07-24-2001 03:52 PM - edited 03-08-2019 08:31 PM
I have heard from several Cisco engineers as well as from other analysts that split tunneling should not be used if possible because of the security risk. Can anyone address what the specifics are with regard to these security risks? How can split tunneling be used by a hacker to access my internal network? Is anyone out there currently using split tunneling? I am using Cisco 3000 series concentrators for LAN-to-LAN and the Cisco client and 3002 hardware client for remote access.
07-24-2001 04:13 PM
Hello,
Split tunneling can allow what we call a "u-turn" attack. If the workstation that has established the VPN with a secured network is using software without any sort of firewalling built in, or there is no physical firewall protecting the user, effectively the host running the VPN software could be compromised via the Internet access portion of the split tunnel. A cracker could compromise the connection and in turn traverse the VPN tunnel to the corporate network, making moot any encryption whatsoever.
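A defender-side check for the condition described in the post above, added here as an example that is not part of the original thread: it runs a longest-prefix match over a client's routing table and reports whether the host reaches the Internet directly while also holding routes into the tunnel. The interface names (`eth0`, `vpn0`), prefixes, probe addresses and both routing tables are constructed for illustration.

```python
import ipaddress

# Constructed sample routing tables: (destination prefix, egress interface).
# Names and prefixes are illustrative assumptions, not values from the thread.
SPLIT_TABLE = [
    ("0.0.0.0/0", "eth0"),        # Internet traffic leaves directly
    ("192.168.1.0/24", "eth0"),   # home LAN
    ("10.0.0.0/8", "vpn0"),       # corporate networks ride the tunnel
]
FULL_TABLE = [
    ("0.0.0.0/1", "vpn0"),        # two half-defaults override the default route
    ("128.0.0.0/1", "vpn0"),
    ("0.0.0.0/0", "eth0"),
    ("192.168.1.0/24", "eth0"),
    ("203.0.113.10/32", "eth0"),  # host route to the VPN gateway itself
]

def egress(routes, dst):
    """Longest-prefix match: return the interface a packet to dst would use."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def audit(routes, vpn_iface, probes=("198.51.100.7", "8.8.8.8")):
    """Report whether the host bridges the Internet and the tunnel."""
    tunnelled = [p for p, i in routes if i == vpn_iface]
    # Public probe addresses that would leave on a non-VPN interface.
    bypass = [d for d in probes if egress(routes, d) not in (vpn_iface, None)]
    return {
        "tunnelled_prefixes": tunnelled,
        "internet_bypasses_tunnel": bypass,
        "split_tunnel": bool(tunnelled) and bool(bypass),
    }

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TABLE), ("full", FULL_TABLE)):
        print(name, audit(table, "vpn0"))
```

A host flagged `split_tunnel: True` is the one that needs a local or physical firewall in front of it, since it is reachable from the Internet side while the tunnel is up.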
07-24-2001 04:30 PM
Would that same argument be true for a hardware client such as the 3002, where the user is being PAT'd before getting to the Internet, and for LAN-to-LAN connections where the tunnel terminates at another Cisco 3000?
08-06-2001 09:52 AM
Seems to me only if an exploit is available. I have not heard of any compromises where the previous case I have mentioned was actually accomplished. Again, it's theoretical and the purists say it could happen. From my limited perspective, I have not seen such.
Regards,
Jerry